11.10.11

Lulzsec hacker: 'we still have Sun emails, stored in China'

Sabu, the erstwhile leader of the hacking crew, says he is effectively on the run as he gives interview to Reddit readers about LulzSec's achievements, Facebook, sentencing and more

The LulzSec hacking group hit a number of sites in a spree in May and July 2011;

now its leader Sabu has given an interview on Reddit. Photograph: Reuters

The hacker who styles himself "Sabu", erstwhile leader of the LulzSechacking crew, claims to have a cache of emails copied from the Sunwhich are being stored on a Chinese server, along with data from a number of other hacks.

But he claimed this weekend that they will not be released yet: "there are a lot of interesting dumps we're sitting on due to timing," he wrote on his Twitter feed. He claims that hackers have broken into banks including HSBC and "a few others" but that they have found "no smoking guns yet" in the data there.

Sabu – who says his online handle is a tribute to the American professional wrestler – says that after the arrests in the UK and US of a number of people alleged to have been involved with the crew, he is effectively on the run. But his writing also suggests he is staying put where he lives.

"I'm past the point of no return. Not trying to sound like a bad ass, however, it's the truth," he wrote. Later he added: "The ironic twist will be that my own friends will take me down, and not these idiots who hide behind the patriot veil." He also says that "technically, I'm on the run, so there you go."

LulzSec was an offshoot of the Anonymous hacking collective which during a hacking spree in May and July 2011 broke into a number of sites, including Sony Pictures Europe, Fox.com, PBS and finally the News International site.

At the latter it altered the Sun's web page so that it redirected viewers first to a faked story about Rupert Murdoch's death, and then to their Twitter feed. The group also attacked the US Congress's web site, an FBI affiliate and brought down the web site for the UK's Serious Organised Crime Agency by using a "distributed denial of service" attack.

Sabu effectively acted as the leader of the group, maintaining discipline over what they did, as leaked chatroom logs published in June by the Guardian show.

At that time he told members of the crew not to give interviews – but says his willingness to do so now is because "that was during the height of LulzSec. We all agreed to do no interviews till the end if there was ever one."

LulzSec's achievements, he says, were that it "exposed the sad state of security across the media, social, government online environments".

After the Sun hack, Sabu claimed on his Twitter feed that he was looking at 4GB of emails from the company. The claim was never confirmed, although remote access to News International's systems had been compromised.

Sabu's revelations came in a long and sometimes detailed "Ask Me Anything" (AMA) thread on Reddit. Sabu responds to a number of questions and appears to reveal a number of details about himself, such as that he is married, studied social sciences and English, that his technical hacking skills are self-taught, and that he teaches "sometimes". He claims to speak three languages – English, Spanish and German – fluently, and to have "decent" Portuguese and Italian. He says he turned towards computer hacking in 2000, when the US government "ignored the peoples' please to stop bombing Vieques" – a part of Puerto Rico used by the US navy as a bombing range until 2003. He says he likes working on cars, playing music and spending time with his family: "I'm loving life a lot this year. I barely have time for ops [hacker operations] like I used to."

That confirms other details that have been collected by rival hackers about Sabu which suggest that he is of Puerto Rican extraction, aged about 30 and based in New York.

He insists that he had no knowledge of the identities of any of the other members of LulzSec. "I simply don't know anyone's identity at Anonymous." He says that when one alleged member was arrested in the Shetland Islands, north of Scotland, he had to go and look up its location: "I was a bit impressed, even." He vehemently denies the suggestions by some that he "snitched" on other LulzSec members to the authorities.

The breakup of LulzSec meant he has "lost too many friends. [I] will probably never talk to them ever again." But he thinks that it "has already achieved what it set out to achieve".

He suggests that one of the LulzSec members, called Avunit, who quit the group when it took aim at the FBI, "is relaxing somewhere on a boat".

Asked whether he is "safe", he replies: "no one can prove it's me anyway. The beauty of Anonymous." The closest that the authorities have come to him is when in September they arrested a hacker alleged to have gone by the online handle "Recursion", who was tracked down via logs held by the British company HideMyAss, which unwittingly provided a virtual private network (VPN) connection for the attack on Sony Pictures Europe.

That arrest was "probably the closest they ever got", Sabu says. He also makes a veiled threat against HideMyAss: he alleges it "turns out to be owned by some … people who are going around buying smaller VPN providers ... We should have a nice exposé for HMA and its mother computer/investors soon. Point is: research your VPN provider thoroughly."

He says he takes a number of precautions to evade law enforcement, using prepaid phones and BlackBerrys for calls and Twitter: "they're expendable. I don't ignore you, I simply don't know you." He trusts Twitter – to some extent: "believe it or not, Twitter has not been sleeping in bed with LEAs [law enforcement agencies]. In fact it's a process [for LEAs] to get account info."

He rails at the sentencing guidelines in place for computer activity: "The penalties for any cybercrime (with the exception of child pornography) is severely archaic. And enforced by non-computer users. A DDOS (distributed denial of service) should not [attract a sentence of] 10 years at all especially when rapists and murderers do LESS than time." (The Guardian's James Ball made a similar point earlier this year.)

He thinks a hacking attack against Facebook "is pointless unless some very courages [sic] individual go and burn down its datacenter containing DBs [databases]". But he calls Facebook "a serious global cancer … they have half a billion people's psychology and family down in a database".

LulzSec does not have a Google Plus account, he says: "We do NOT have a g+ account. So whoever is running it is more than likely posing and has no affiliation to us." (Other Reddit users said that files distributed from that account contain malware.) Google Plus was launched well after LulzSec apparently broke up.

His advice to would-be emulators: "Stick to yourselves. If you are in a crew – keep your opsec up 24/7. Friends will try to take you down if they have to."

Anonymous, he says, is "no leaders, no hierarchy, no cointelpro [counter-intelligence program] drama. And we are a living, moving mass of like-minded individuals." He says it is "pure democracy", though that can be anarchic. But he thinks it will spawn "many organisations and political parties". But he says that "you don't need to be 'anonymous' or need to hack to be Anonymous. It's an idea, not a job."